Problem with check_eventlog
33 views
Skip to first unread message
Stefan Rudat
Oct 10, 2024, 8:13:24 AM10/10/24
to SNClient
Hi Seven,
Due to security reasons, we would like to replace NSClient++. Currently, we are testing SNClient+ v0.27 (Build: 365bf0d, go1.22.6) | ‘version’ = 0.27. During the evaluation process, we encountered issues with the check_eventlog command. Specifically, the command:
-c check_eventlog -a "filter=provider = 'Microsoft-Windows-GroupPolicy'"
always returns “OK - Event log seems fine,” even though the following event is present:
Protokollname: Application
Quelle: Microsoft-Windows-Security-SPP
Datum: 10.10.2024 12:37:31
Ereignis-ID: 8198
Aufgabenkategorie:Keine
Ebene: Fehler
Schlüsselwörter:Klassisch
BR
Stefan
Sven Nierlein
Oct 10, 2024, 8:16:36 AM10/10/24
to sncl...@googlegroups.com, Stefan Rudat
Hi,
could you try the latest nightly build, because there has been an issue fixed in
https://github.com/ConSol-Monitoring/snclient/issues/157
Cheers,
Sven
> --
> You received this message because you are subscribed to the Google Groups "SNClient" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to snclient+u...@googlegroups.com <mailto:snclient+u...@googlegroups.com>.
> To view this discussion on the web visit https://groups.google.com/d/msgid/snclient/ef193850-05c2-4fdc-ad86-7170de62733bn%40googlegroups.com <https://groups.google.com/d/msgid/snclient/ef193850-05c2-4fdc-ad86-7170de62733bn%40googlegroups.com?utm_medium=email&utm_source=footer>.
could you try the latest nightly build, because there has been an issue fixed in
https://github.com/ConSol-Monitoring/snclient/issues/157
Cheers,
Sven
> You received this message because you are subscribed to the Google Groups "SNClient" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to snclient+u...@googlegroups.com <mailto:snclient+u...@googlegroups.com>.
> To view this discussion on the web visit https://groups.google.com/d/msgid/snclient/ef193850-05c2-4fdc-ad86-7170de62733bn%40googlegroups.com <https://groups.google.com/d/msgid/snclient/ef193850-05c2-4fdc-ad86-7170de62733bn%40googlegroups.com?utm_medium=email&utm_source=footer>.
Stefan Rudat
Oct 15, 2024, 2:50:44 AM10/15/24
to SNClient
Hi Sven,
Thank you for your quick response. We have installed the latest nightly build version and conducted some tests with the trace function enabled.
I hope we used the correct command syntax. Please find the attached trace, which includes the version used, the result, and the corresponding Windows event.
Unfortunately, we are still receiving the message “OK - Event log seems fine” when using both commands, “id=8198” and “filter=provider = 'Microsoft-Windows-Security-SPP’”.
Ereignis-ID: 8198
Aufgabenkategorie:Keine
Ebene: Fehler
Schlüsselwörter:Klassisch
Thank you for your quick response. We have installed the latest nightly build version and conducted some tests with the trace function enabled.
I hope we used the correct command syntax. Please find the attached trace, which includes the version used, the result, and the corresponding Windows event.
Unfortunately, we are still receiving the message “OK - Event log seems fine” when using both commands, “id=8198” and “filter=provider = 'Microsoft-Windows-Security-SPP’”.
SNClient+ v0.27.0030 (Build: d7f2f28, go1.22.8) |'version'=0.27003
[2024-10-11 10:44:05.791][Trace][pid:1972][listener:317] incoming nrpe connection from 192.168.107.60:50932
[2024-10-11 10:44:05.811][Trace][pid:1972][listen_nrpe:106] nrpe v2 request: check_eventlog []string{" filter=provider = 'Microsoft-Windows-Security-SPP' id = 8198"}
[2024-10-11 10:44:05.811][Trace][pid:1972][snclient:694] command: check_eventlog
[2024-10-11 10:44:05.811][Trace][pid:1972][snclient:695] args: []string{" filter=provider = 'Microsoft-Windows-Security-SPP' id = 8198"}
[2024-10-11 10:44:05.811][Debug][pid:1972][listener:337] nrpe connection from 192.168.107.60:50932 finished in 19.6614ms
[2024-10-11 10:44:13.407][Trace][pid:1972][listener:317] incoming nrpe connection from 192.168.107.60:33194
[2024-10-11 10:44:13.437][Trace][pid:1972][listen_nrpe:106] nrpe v2 request: check_eventlog []string{" filter=provider = 'Microsoft-Windows-Security-SPP' and id = 8198"}
[2024-10-11 10:44:13.437][Trace][pid:1972][snclient:694] command: check_eventlog
[2024-10-11 10:44:13.437][Trace][pid:1972][snclient:695] args: []string{" filter=provider = 'Microsoft-Windows-Security-SPP' and id = 8198"}
[2024-10-11 10:44:13.474][Trace][pid:1972][check_eventlog_windows:51] fetching eventlog: Application
...
[2024-10-11 10:44:13.873][Trace][pid:1972][check_eventlog_windows:86] expanded unique filter: Application-Microsoft-Windows-Security-SPP-16384
[2024-10-11 10:44:13.873][Trace][pid:1972][check_eventlog_windows:86] expanded unique filter: Application-Microsoft-Windows-Security-SPP-8198
[2024-10-11 10:44:13.873][Trace][pid:1972][check_eventlog_windows:86] expanded unique filter: Application-Microsoft-Windows-Security-SPP-1003
....
[2024-10-11 10:44:17.588][Trace][pid:1972][checkdata:120] finalize check results:
[2024-10-11 10:44:17.588][Debug][pid:1972][checkdata:128] filter: provider = 'Microsoft-Windows-Security-SPP' and id = 8198
[2024-10-11 10:44:17.588][Debug][pid:1972][checkdata:129] condition warning: level = 'warning' or problem_count > 0
[2024-10-11 10:44:17.588][Debug][pid:1972][checkdata:130] condition critical: level in ('error', 'critical')
[2024-10-11 10:44:17.588][Debug][pid:1972][checkdata:131] condition ok: none
[2024-10-11 10:44:17.588][Trace][pid:1972][checkdata:133] details: map[string]string{"_state":"0", "detail-syntax":"%(file) %(source) (%(message))", "empty-syntax":"%(status) - No entries found", "ok-syntax":"%(status) - Event log seems fine", "top-syntax":"%(status) - %(count) message(s) %(problem_list)"}
[2024-10-11 10:44:17.588][Trace][pid:1972][checkdata:151] list data:
[2024-10-11 10:44:17.588][Trace][pid:1972][checkdata:174] - map[string]string{"_count":"5", "_state":"0", "computer":"VMSRV19-TESTVD.BSI.local", "file":"Application", "id":"8198", "level":"fehler", "log":"Application", "message":"Fehler bei der Lizenzaktivierung (slui.exe). Fehlercode:\r\nhr=0x87E10BC6\r\nBefehlszeilenargumente:\r\nRuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=175a4401-9571-44e3-b7ed-1418ac983e2b;NotificationInterval=1440;Trigger=UserLogon;SessionId=4", "provider":"Microsoft-Windows-Security-SPP", "source":"Microsoft-Windows-Security-SPP", "written":"2024-10-11 09:05:13 CEST", "writtenTS":"1728630313"}
[2024-10-11 10:44:17.588][Trace][pid:1972][checkdata:179] detail template: %(file) %(source) (%(message))
[2024-10-11 10:44:17.588][Trace][pid:1972][checkdata:213] output template: %(status) - Event log seems fine
[2024-10-11 10:44:17.588][Debug][pid:1972][listener:337] nrpe connection from 192.168.107.60:33194 finished in 4.1808928s
Protokollname: Application
Quelle: Microsoft-Windows-Security-SPP
Datum: 11.10.2024 09:05:13
[2024-10-11 10:44:05.791][Trace][pid:1972][listener:317] incoming nrpe connection from 192.168.107.60:50932
[2024-10-11 10:44:05.811][Trace][pid:1972][listen_nrpe:106] nrpe v2 request: check_eventlog []string{" filter=provider = 'Microsoft-Windows-Security-SPP' id = 8198"}
[2024-10-11 10:44:05.811][Trace][pid:1972][snclient:694] command: check_eventlog
[2024-10-11 10:44:05.811][Trace][pid:1972][snclient:695] args: []string{" filter=provider = 'Microsoft-Windows-Security-SPP' id = 8198"}
[2024-10-11 10:44:05.811][Debug][pid:1972][listener:337] nrpe connection from 192.168.107.60:50932 finished in 19.6614ms
[2024-10-11 10:44:13.407][Trace][pid:1972][listener:317] incoming nrpe connection from 192.168.107.60:33194
[2024-10-11 10:44:13.437][Trace][pid:1972][listen_nrpe:106] nrpe v2 request: check_eventlog []string{" filter=provider = 'Microsoft-Windows-Security-SPP' and id = 8198"}
[2024-10-11 10:44:13.437][Trace][pid:1972][snclient:694] command: check_eventlog
[2024-10-11 10:44:13.437][Trace][pid:1972][snclient:695] args: []string{" filter=provider = 'Microsoft-Windows-Security-SPP' and id = 8198"}
[2024-10-11 10:44:13.474][Trace][pid:1972][check_eventlog_windows:51] fetching eventlog: Application
...
[2024-10-11 10:44:13.873][Trace][pid:1972][check_eventlog_windows:86] expanded unique filter: Application-Microsoft-Windows-Security-SPP-16384
[2024-10-11 10:44:13.873][Trace][pid:1972][check_eventlog_windows:86] expanded unique filter: Application-Microsoft-Windows-Security-SPP-8198
[2024-10-11 10:44:13.873][Trace][pid:1972][check_eventlog_windows:86] expanded unique filter: Application-Microsoft-Windows-Security-SPP-1003
....
[2024-10-11 10:44:17.588][Trace][pid:1972][checkdata:120] finalize check results:
[2024-10-11 10:44:17.588][Debug][pid:1972][checkdata:128] filter: provider = 'Microsoft-Windows-Security-SPP' and id = 8198
[2024-10-11 10:44:17.588][Debug][pid:1972][checkdata:129] condition warning: level = 'warning' or problem_count > 0
[2024-10-11 10:44:17.588][Debug][pid:1972][checkdata:130] condition critical: level in ('error', 'critical')
[2024-10-11 10:44:17.588][Debug][pid:1972][checkdata:131] condition ok: none
[2024-10-11 10:44:17.588][Trace][pid:1972][checkdata:133] details: map[string]string{"_state":"0", "detail-syntax":"%(file) %(source) (%(message))", "empty-syntax":"%(status) - No entries found", "ok-syntax":"%(status) - Event log seems fine", "top-syntax":"%(status) - %(count) message(s) %(problem_list)"}
[2024-10-11 10:44:17.588][Trace][pid:1972][checkdata:151] list data:
[2024-10-11 10:44:17.588][Trace][pid:1972][checkdata:174] - map[string]string{"_count":"5", "_state":"0", "computer":"VMSRV19-TESTVD.BSI.local", "file":"Application", "id":"8198", "level":"fehler", "log":"Application", "message":"Fehler bei der Lizenzaktivierung (slui.exe). Fehlercode:\r\nhr=0x87E10BC6\r\nBefehlszeilenargumente:\r\nRuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=175a4401-9571-44e3-b7ed-1418ac983e2b;NotificationInterval=1440;Trigger=UserLogon;SessionId=4", "provider":"Microsoft-Windows-Security-SPP", "source":"Microsoft-Windows-Security-SPP", "written":"2024-10-11 09:05:13 CEST", "writtenTS":"1728630313"}
[2024-10-11 10:44:17.588][Trace][pid:1972][checkdata:179] detail template: %(file) %(source) (%(message))
[2024-10-11 10:44:17.588][Trace][pid:1972][checkdata:213] output template: %(status) - Event log seems fine
[2024-10-11 10:44:17.588][Debug][pid:1972][listener:337] nrpe connection from 192.168.107.60:33194 finished in 4.1808928s
Protokollname: Application
Quelle: Microsoft-Windows-Security-SPP
Datum: 11.10.2024 09:05:13
Ereignis-ID: 8198
Aufgabenkategorie:Keine
Ebene: Fehler
Schlüsselwörter:Klassisch
Benutzer: Nicht zutreffend
Computer: VMSRV19-TESTVD.BSI.local
Beschreibung:
Fehler bei der Lizenzaktivierung (slui.exe). Fehlercode:
hr=0x87E10BC6
Befehlszeilenargumente:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=175a4401-9571-44e3-b7ed-1418ac983e2b;NotificationInterval=1440;Trigger=UserLogon;SessionId=4
Ereignis-XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
<EventID Qualifiers="49152">8198</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2024-10-11T07:05:13.092429300Z" />
<EventRecordID>20714</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>VMSRV19-TESTVD.BSI.local</Computer>
<Security />
</System>
<EventData>
<Data>hr=0x87E10BC6</Data>
<Data>RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=175a4401-9571-44e3-b7ed-1418ac983e2b;NotificationInterval=1440;Trigger=UserLogon;SessionId=4</Data>
</EventData>
</Event>
Computer: VMSRV19-TESTVD.BSI.local
Beschreibung:
Fehler bei der Lizenzaktivierung (slui.exe). Fehlercode:
hr=0x87E10BC6
Befehlszeilenargumente:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=175a4401-9571-44e3-b7ed-1418ac983e2b;NotificationInterval=1440;Trigger=UserLogon;SessionId=4
Ereignis-XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
<EventID Qualifiers="49152">8198</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2024-10-11T07:05:13.092429300Z" />
<EventRecordID>20714</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>VMSRV19-TESTVD.BSI.local</Computer>
<Security />
</System>
<EventData>
<Data>hr=0x87E10BC6</Data>
<Data>RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=175a4401-9571-44e3-b7ed-1418ac983e2b;NotificationInterval=1440;Trigger=UserLogon;SessionId=4</Data>
</EventData>
</Event>
Stefan Rudat
Oct 15, 2024, 2:50:49 AM10/15/24
to SNClient
Hi Sven,
To proceed with the evaluation process, I used a small script. However, I encountered an issue where the level was numeric (`<Level>2</Level>`). I’ll include the test script below for your reference.
>< --------------------------------- cut from here with a sharp knife ---------------------------------------------------><
# Check-EventID.ps1
param (
[int]$EventID,
[string]$LogName = "Application"
)
$event = Get-WinEvent -FilterHashtable @{LogName=$LogName; ID=$EventID} -MaxEvents 1
if ($event) {
# Directly use the Level field (numerical value)
switch ($event.Level) {
1 { $level = "Critical" }
2 { $level = "Error" }
3 { $level = "Warning" }
4 { $level = "Information" }
5 { $level = "Verbose" }
default { $level = "Unknown" }
}
switch ($level) {
"Critical" {
Write-Output "CRITICAL - Event ID $EventID found in $LogName log. Event details: $($event.Message)"
exit 2
}
"Error" {
Write-Output "CRITICAL - Event ID $EventID found in $LogName log. Event details: $($event.Message)"
exit 2
}
"Warning" {
Write-Output "WARNING - Event ID $EventID found in $LogName log. Event details: $($event.Message)"
exit 1 os
}
"Information" {
Write-Output "OK - Event ID $EventID found in $LogName log. Event details: $($event.Message)"
exit 0
}
default {
Write-Output "UNKNOWN - Event ID $EventID found in $LogName log but level is unknown. Event details: $($event.Message)"
exit 3
}
}
} else {
Write-Output "OK - No Event ID $EventID found in $LogName log."
exit 0
}
$command -u -2 -H $IP -c EventCheck -a "8194 Application"
CRITICAL - Event ID 8194 found in Application log. Event details: Die clientseitige Erweiterung konnte die Benutzer-Richtlinieneinstellungen f�r Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9} nicht �bernehmen. Fehlercode: 0x80070003 Das System kann den angegebenen Pfad nicht finden. Weitere Details finden Sie in der Ablaufverfolgungsdatei
CRITICAL - Event ID 8194 found in Application log. Event details: Die clientseitige Erweiterung konnte die Benutzer-Richtlinieneinstellungen f�r Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9} nicht �bernehmen. Fehlercode: 0x80070003 Das System kann den angegebenen Pfad nicht finden. Weitere Details finden Sie in der Ablaufverfolgungsdatei
BR
Stefan
Sven Nierlein schrieb am Donnerstag, 10. Oktober 2024 um 14:16:36 UTC+2:
Sven Nierlein
Jan 23, 2025, 4:25:59 AMJan 23
to Stefan Rudat, sncl...@googlegroups.com
Hi,
i finally was able to have a close look. The issue here is, the snclient fetches the event log via wmi. But wmi cannot access
the "custom logs". Seems like this is only possible with either the powershell get-winevent or the wevtutil.exe.
I'll see if i can incorporate those commands in the check_eventlog...
Regards,
Sven
> https://github.com/ConSol-Monitoring/snclient/issues/157 <https://github.com/ConSol-Monitoring/snclient/issues/157>
i finally was able to have a close look. The issue here is, the snclient fetches the event log via wmi. But wmi cannot access
the "custom logs". Seems like this is only possible with either the powershell get-winevent or the wevtutil.exe.
I'll see if i can incorporate those commands in the check_eventlog...
Regards,
Sven
>
> Cheers,
> Sven
>
>
> On 10.10.24 14:07, Stefan Rudat wrote:
> > Hi Seven,
> >
> > Due to security reasons, we would like to replace NSClient++. Currently, we are testing SNClient+ v0.27 (Build: 365bf0d, go1.22.6) | ‘version’ = 0.27. During the evaluation process, we encountered issues with the check_eventlog command. Specifically, the command:
> >
> >
> > -c check_eventlog -a "filter=provider = 'Microsoft-Windows-GroupPolicy'"
> >
> > always returns “OK - Event log seems fine,” even though the following event is present:
> >
> > Protokollname: Application
> >
> > Quelle: Microsoft-Windows-Security-SPP
> >
> > Datum: 10.10.2024 12:37:31
> >
> > Ereignis-ID: 8198
> >
> > Aufgabenkategorie:Keine
> >
> > Ebene: Fehler
> >
> > Schlüsselwörter:Klassisch
> >
> > BR
> >
> > Stefan
> >
> > --
> > You received this message because you are subscribed to the Google Groups "SNClient" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to snclient+u...@googlegroups.com <mailto:snclient+u...@googlegroups.com>.
> > To view this discussion on the web visit https://groups.google.com/d/msgid/snclient/ef193850-05c2-4fdc-ad86-7170de62733bn%40googlegroups.com <https://groups.google.com/d/msgid/snclient/ef193850-05c2-4fdc-ad86-7170de62733bn%40googlegroups.com> <https://groups.google.com/d/msgid/snclient/ef193850-05c2-4fdc-ad86-7170de62733bn%40googlegroups.com?utm_medium=email&utm_source=footer <https://groups.google.com/d/msgid/snclient/ef193850-05c2-4fdc-ad86-7170de62733bn%40googlegroups.com?utm_medium=email&utm_source=footer>>.
> Cheers,
> Sven
>
>
> On 10.10.24 14:07, Stefan Rudat wrote:
> > Hi Seven,
> >
> > Due to security reasons, we would like to replace NSClient++. Currently, we are testing SNClient+ v0.27 (Build: 365bf0d, go1.22.6) | ‘version’ = 0.27. During the evaluation process, we encountered issues with the check_eventlog command. Specifically, the command:
> >
> >
> > -c check_eventlog -a "filter=provider = 'Microsoft-Windows-GroupPolicy'"
> >
> > always returns “OK - Event log seems fine,” even though the following event is present:
> >
> > Protokollname: Application
> >
> > Quelle: Microsoft-Windows-Security-SPP
> >
> > Datum: 10.10.2024 12:37:31
> >
> > Ereignis-ID: 8198
> >
> > Aufgabenkategorie:Keine
> >
> > Ebene: Fehler
> >
> > Schlüsselwörter:Klassisch
> >
> > BR
> >
> > Stefan
> >
> > --
> > You received this message because you are subscribed to the Google Groups "SNClient" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to snclient+u...@googlegroups.com <mailto:snclient+u...@googlegroups.com>.
>
> --
> You received this message because you are subscribed to the Google Groups "SNClient" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to snclient+u...@googlegroups.com <mailto:snclient+u...@googlegroups.com>.
> To view this discussion on the web visit https://groups.google.com/d/msgid/snclient/fed8dc60-19cc-4c59-9bd5-51920c96f1b8n%40googlegroups.com <https://groups.google.com/d/msgid/snclient/fed8dc60-19cc-4c59-9bd5-51920c96f1b8n%40googlegroups.com?utm_medium=email&utm_source=footer>.
> --
> You received this message because you are subscribed to the Google Groups "SNClient" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to snclient+u...@googlegroups.com <mailto:snclient+u...@googlegroups.com>.
Reply all
Reply to author
Forward
0 new messages